CycloneDX / cyclonedx-node-npm

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
https://cyclonedx.org/
Apache License 2.0

[BUG] In context of npm workspaces (monorepo), sbom generation for workspace does not work if workspace does not contain node_modules (even if empty) #1109

Closed Donorlin closed 1 year ago

Donorlin commented 1 year ago

Describe the bug

Hi, I have a monorepo repository that looks like this

/packages
   /packageA
      - package.json
   /packageB
      - package.json
   /packageC
      - package.json
-  package.json  // root, workspaces = ["packages/*"]

Packages A, B, C are independent, publishable npm packages, with their respective dependencies, name, version and so on..

I am running this to generate SBOM for packageA:

cyclonedx-npm packages/packageA/package.json --omit dev --mc-type library --output-reproducible --output-file packages/packageA/bom.json --short-PURLs

from the root. (same if I run it from packages/packageA)

But if packageA does not contain a node_modules folder - EVEN IF EMPTY - the command will fail and print:

LOG   | No evidence: no package lock file nor npm shrinkwrap file
LOG   | No evidence: no node_modules dir
INFO  | ? Did you forget to run `npm install` on your project accordingly ?

Error: missing evidence

This must be a bug. Because when I create an empty node_modules folder in packages/packageA everything runs fine. SBOM is correctly generated with its content as expected for packageA.

To Reproduce

NPM workspaces monorepo mentioned above. Since npm decouples dependencies to root node_modules, it is less common to have node_modules in respective workspaces. For this to not work, you must not have node_modules folder in packageA folder.

Run from root

cyclonedx-npm packages/packageA/package.json --omit dev --mc-type library --output-reproducible --output-file packages/packageA/bom.json --short-PURLs

or from packages/packageA

cyclonedx-npm --omit dev --mc-type library --output-reproducible --output-file bom.json --short-PURLs

Expected behavior

I expect SBOM to be correctly generated for package A, based on its dependencies. (it works, but node_modules must be present)

Environment

jkowalleck commented 1 year ago

Not a bug, but a lack of feature. Please write a proper feature request, to make clear what the scope is and how a use case might look like.

Thank you in advance. 👍

jkowalleck commented 1 year ago

feature request: #1126